Breachwire.riscent

Breach report

The unlocked memory of AI apps: exposed vector databases with no authentication

PWA & Startup BreachesHigh2025-01
The bottom lineVector databases that back RAG applications are frequently deployed with no authentication, letting attackers who reach them exfiltrate embeddings, partially reconstruct source documents via model inversion, and poison retrieval — a documented misconfiguration class.
Category
PWA & Startup Breaches
Type
Vulnerability class (exposed data stores)
Date
2025-01
Severity
High
OWASP
LLM08 Vector and Embedding Weaknesses
CWE / CVE
CWE-306

What happened

Vector databases — Chroma, Weaviate, Pinecone, Milvus, Qdrant and others — store the embeddings that power Retrieval-Augmented Generation (RAG). Security researchers describe a recurring misconfiguration class: instances deployed with open network ports and no authentication, discoverable through port scanning, service fingerprinting, and connection strings leaked in public repositories. This entry describes the vulnerability class as documented; it does not assert a specific count of exposed instances. With unauthenticated access, an attacker can query the store, read the proprietary embeddings, and treat the AI system's knowledge layer as a direct attack surface.

Root cause

Many vector stores ship with authentication off by default (CWE-306) to make local development easy, and teams carry that default into internet-facing deployments. The RAG app works — it retrieves context and answers questions — while the invariant "only the application may read or write the knowledge base" is never enforced. Three concrete harms follow: embedding exfiltration and model inversion, where an attacker extracts vectors and partially reconstructs the original sensitive documents; vector poisoning, where write access injects malicious embeddings that subvert the model's grounding into returning false or attacker-chosen answers; and prompt-injection orchestration, where knowing exactly what context is retrievable lets an attacker craft precise injections.

How it would have been caught

A test that connects to the vector store's endpoint from off-host with no credentials and asserts the connection is refused flips red on any exposed instance. An asset scan for the store's ports reachable from the public internet catches the exposure. A poisoning check writes a known-bad vector without auth and confirms it is rejected. Each is a direct, unauthenticated reproduction.

How to prevent it

  • Require authentication on every vector database and never expose it to the public internet — reach it over a private network from the application only.
  • Separate read and write credentials; deny anonymous writes so retrieval cannot be poisoned.
  • Treat embeddings as sensitive data: they can be inverted back toward source content. Encrypt at rest and monitor for bulk-export queries.

The Breachwire test (red → green)

From an external host with no credentials, connect to the vector store and confirm you can read embeddings or write a new vector — the RED proof it is open. Enable authentication and restrict it to a private network with read/write separation, then confirm the same unauthenticated connection is refused for both reads and writes, while the application still queries with its scoped credential.